Jeff,
On Tue, 28 Jul 2009, Jeff Hulen wrote:
Do any of you know how to set the default ZFS ACLs for newly created
files and folders when those files and folders are created through Samba?
I want to have all new files and folders only inherit extended
(non-trivial) ACLs that are set on the parent folders. But when a file
is created through samba on the zfs file system, it gets mode 744
(trivial) added to it. For directories, it gets mode 755 added to it.
I've tried everything I could find and think of:
1.) Setting a umask.
2.) Editing /etc/sfw/smb.conf 'force create mode' and 'force directory
mode'. Then `svcadm restart samba`.
3.) Adding trivial inheritable ACLs to the parent folder.
Changes 1 and 2 had no effect.
In number 3 I got folders to effectively do what I want, but not files.
I set the ACLs of the parent to:
drwx--+ 24 AD+administrator AD+records 2132 Jul 28 12:01 records/
user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
user:AD+administrator:rwxpdDaARWcCos:--:allow
group:AD+records:rwxpd-aARWc--s:fdi---:allow
group:AD+records:rwxpd-aARWc--s:--:allow
group:AD+release:r-x---a-R-c---:--:allow
owner@:rwxp---A-W-Co-:fd:allow
group@:rwxp--:fd:deny
everyone@:rwxp---A-W-Co-:fd:deny
Then new directories and files get created like this from a windows
workstation connected to the server:
drwx--+ 2 AD+testuser AD+domain users 2 Jul 28 12:01 test
user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
user:AD+administrator:rwxpdDaARWcCos:--:allow
group:AD+records:rwxpd-aARWc--s:fdi---:allow
group:AD+records:rwxpd-aARWc--s:--:allow
owner@:rwxp---A-W-Co-:fdi---:allow
owner@:---A-W-Co-:--:allow
group@:rwxp--:fdi---:deny
group@:--:--:deny
everyone@:rwxp---A-W-Co-:fdi---:deny
everyone@:---A-W-Co-:--:deny
owner@:--:--:deny
owner@:rwxp---A-W-Co-:--:allow
group@:-w-p--:--:deny
group@:r-x---:--:allow
everyone@:-w-p---A-W-Co-:--:deny
everyone@:r-x---a-R-c--s:--:allow
-rwxr--r--+ 1 AD+testuser AD+domain users 0 Jul 28 12:01 test.txt
user:AD+administrator:rwxpdDaARWcCos:--:allow
group:AD+records:rwxpd-aARWc--s:--:allow
owner@:---A-W-Co-:--:allow
group@:--:--:deny
everyone@:---A-W-Co-:--:deny
owner@:--:--:deny
owner@:rwxp---A-W-Co-:--:allow
group@:-wxp--:--:deny
group@:r-:--:allow
everyone@:-wxp---A-W-Co-:--:deny
everyone@:r-a-R-c--s:--:allow
I need group AD+release to have read-only access to only
specific files within records. I could set that up, but any new files or
folders that are created will be viewable by AD+release. That
would not be acceptable.
Do any of you know how to set the samba file/folder creation ACLs on ZFS
file systems? Or do you have something I could try?
The following setup works quite well for us with a self compiled
Samba 3.0.34 taken from the SFW source tree. The only problem
we ran into was that Microsoft Office sometimes seems to set
permissions on files in an, at least for me, unpredictable way.
smb.conf:
...
[data]
;
; public fileserver share
;
path = /smb/data
comment = user and group directories
public = no
writable = yes
browseable = yes
vfs objects = zfsacl
inherit permissions = yes
inherit acls = yes
store dos attributes = yes
hide dot files = no
nfs4: mode = simple
nfs4: acedup = merge
zfsacl: acesort = dontcare
; delete readonly = yes
;
; set to no else Microsoft Excel/Word cause
; permission problems
;
map archive = no
map hidden = no
map read only = no
map system = no
Some zfs properties of the top-level zfs which get inherited to
the children
NAME  PROPERTY         VALUE       SOURCE
smb   snapdir          visible     local
smb   aclmode          groupmask   default
smb   aclinherit       restricted  default
smb   casesensitivity  sensitive   -
Now for every group directory reflecting a particular department
such as kizinfra we set permissions as
# ls -ldV kizinfra
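As an added example (not code from either message in this thread), a small simulator of ZFS ACE inheritance over the compact `ls -V` format quoted in the records/ listing above, so you can check what a new file or subdirectory would receive from a parent's inheritable entries before trusting it; the sample ACL is constructed after that listing, and neither the aclinherit post-processing mentioned in the reply nor the mode bits Samba adds are modelled.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    who: str    # owner@, group@, everyone@, user:<name> or group:<name>
    perms: str  # 14-character compact permission set, e.g. rwxpdDaARWcCos
    flags: str  # inheritance flags without padding: any of f, d, i, n
    kind: str   # "allow" or "deny"

def parse_ace(line: str) -> Ace:
    """Split 'who:perms:flags:type'; 'who' may itself contain a colon."""
    *who, perms, flags, kind = line.strip().split(":")
    return Ace(":".join(who), perms, flags.replace("-", ""), kind)

def inherit(parent: list[Ace], new_is_dir: bool) -> list[Ace]:
    """NFSv4 inheritance as the thread's listings show it: 'f' propagates to
    files, 'd' to directories, 'n' stops at the immediate child. A file gets a
    flag-less copy; a directory gets an inherit-only copy (flags + 'i') for
    further propagation plus, when 'd' is set, an effective flag-less copy."""
    out = []
    for ace in parent:
        f, d, n = ("f" in ace.flags), ("d" in ace.flags), ("n" in ace.flags)
        if not new_is_dir:
            if f:
                out.append(replace(ace, flags=""))
        elif f or d:
            if not n:
                kept = "".join(c for c in "fd" if c in ace.flags)
                out.append(replace(ace, flags=kept + "i"))
            if d:
                out.append(replace(ace, flags=""))
    return out

def can_read(acl: list[Ace], who: str) -> bool:
    """First effective ACE for 'who' that decides read_data ('r') wins;
    inherit-only entries are skipped; no matching entry means no access."""
    for ace in acl:
        if ace.who == who and "i" not in ace.flags and ace.perms[0] == "r":
            return ace.kind == "allow"
    return False

# Constructed sample modelled on the records/ directory ACL quoted in the question
RECORDS_ACL = [parse_ace(l) for l in """
user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
group:AD+records:rwxpd-aARWc--s:fdi---:allow
group:AD+release:r-x---a-R-c---:------:allow
owner@:rwxp---A-W-Co-:fd----:allow
group@:rwxp----------:fd----:deny
everyone@:rwxp---A-W-Co-:fd----:deny
""".split()]
```

Running `inherit(RECORDS_ACL, False)` shows that the flag-less AD+release entry is not passed to new files, so any read access that group ends up with on a new file comes from something other than ACL inheritance.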